US Cities Exposed: A Shodan-Based Security Study of Exposed Assets in the US

Numaan Huq, Stephen Hilt, and Natasha Hellberg
Trend Micro Forward-Looking Threat Research (FTR) Team
A TrendLabs Research Paper
TREND MICRO LEGAL DISCLAIMER

The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice. Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied.
Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.

Contents

- Exposed Cyber Assets
- Exposed Cities
- Safeguarding Against Internet Exposure
- Conclusion
- Appendix

DISCLAIMER: At no point during this research did we perform any scanning or attempt to access any of the Internet-connected devices and systems. All published data, including screenshots, were collected via Shodan. Note that any mention of brands in this research does not suggest any issue with the related products but only that they are searchable in Shodan.

The Internet of Things (IoT) is fast becoming the new norm, connecting everything from computers, mobile devices, cars, industrial robots, home appliances, and even smart clothing to the Internet. This interconnected world is very exciting and has created new and unique opportunities to improve our lives. But truth be told, today's society is adopting connected technologies at a faster rate than we are able to secure them. Caution dictates that in addition to exploring new opportunities with IoT, we also examine the implications and repercussions of an all-devices-online world. There is a strong likelihood that some of our Internet-connected devices and systems may be inadvertently exposing information about us and our surroundings online, and that could potentially jeopardize everyone's safety and security. The main goal of this research paper is to build public awareness about exposed cyber assets and highlight problems and issues associated with them.
We define exposed cyber assets as Internet-connected devices and systems that are discoverable on Shodan or similar search engines, and can be accessed via the public Internet. Several research papers and conference talks have been published and presented that explore these problems and issues, but in this paper, we study exposed cyber assets from the macroscopic perspective of cities. The exposed cyber assets profiled cover all of the popular Internet-connected devices and systems in large US cities, which allows us to do a comparative analysis of cities with similar population sizes. In a follow-up research paper, US Cities Exposed: Industries and ICS [1], we profiled exposed cyber assets that are critical to daily city operations (i.e., critical infrastructure and industrial control systems [ICS]).

Research results revealed a significant number of exposed devices such as webcams, network-attached storage (NAS) devices, routers, printers, phones, and media players, many of which are vulnerable to exploitation and compromise. We also found a significant number of Web servers and other servers, along with databases, including medical databases, which could potentially be compromised by determined threat actors. Finally, we profiled several vulnerabilities that the Shodan crawler scans for; if these vulnerabilities remain unpatched, attackers can exploit them to compromise the underlying systems. While the connected world struggles with questions about who is responsible for safeguarding and policing exposed cyber assets, how it should be done, and what awareness campaigns must be run to better protect cyber infrastructure, we provide some guidance by outlining a set of security best practices for businesses and home users to follow that will help them secure their Internet-connected devices against potential attacks.

Exposed Cyber Assets

Traditional Web search engines such as Google, Bing, and Yahoo!
are great if you are looking for information and websites, but not so good if you are searching for device metadata. The solution? Shodan, a publicly available search engine for Internet-connected devices and systems. Shodan finds and lists devices and systems such as webcams, baby monitors, medical equipment, ICS devices, home appliances, databases, and others. In short, Shodan collates and makes searchable both device metadata and banner information (i.e., services running) that Internet-connected devices and systems are freely sharing with anyone who queries them. A majority of these require Internet access to function properly, though some, such as ICS and medical devices, should never be directly connected to the Internet. If not properly configured, then by virtue of being exposed on the Internet, some of these devices and systems may be vulnerable to compromise and exploitation. There is also the elephant in the room, privacy: what, if any, sensitive information is being exposed online?

We define exposed cyber assets as Internet-connected devices and systems that are discoverable on Shodan or similar search engines, and can be accessed via the public Internet. Important questions that come to mind are:

What potential risks are associated with exposed cyber assets? Risks include:

- Exposed cyber assets could get compromised by hackers who steal sensitive data (e.g., personally identifiable information [PII], intellectual property, financial and corporate data, etc.).
- Exposed cyber assets could be leaking sensitive data online without their owners' knowledge (e.g., open directories on Web servers, unauthenticated webcam feeds, exposed ICS Human Machine Interfaces [HMIs], etc.).
- Hackers use lateral movement strategies to gain entry into a corporate or an ICS network by compromising exposed cyber assets, then commit espionage, sabotage, or fraud.
- Compromised cyber assets can be used to run illegal operations such as launching distributed denial-of-service (DDoS) attacks, becoming part of botnets, hosting illegal data, being used for fraud, and so on.
- Compromised cyber assets can be held hostage for ransom. This is especially damaging if they are critical to an organization's or individual's operations.
- Cyber assets that operate critical infrastructure can jeopardize public safety if compromised.

We also compiled a list of recent notable cyber intrusions in the Appendix, some of which demonstrate the real-world risks that exposed cyber assets pose.

Why are cyber assets exposed on the Internet? Common reasons for device and system exposure online include:

- Incorrectly configured network infrastructure that allows direct device or system access
- Devices and systems that need to be Internet connected in order to function properly
- Remote access enabled on devices and systems for remote troubleshooting
- Remote access enabled on devices and systems for remote operations

Who is targeting exposed cyber assets? Threats come from a variety of sources, depending on the types of cyber assets targeted. Actors include:

- Nation-states, both developed and developing, gather intelligence using software espionage tools and customized malware.
- Criminal syndicates include both criminal gangs who target consumers using different schemes such as ransomware to profit and those contracted by national governments for various political cyber attacks, including cyber espionage and subterfuge.
- Cyberterrorists launch disruptive or destructive cyber attacks to cause physical destruction of property or potential loss of life and spread fear.
- Competitors look for information in order to gain strategic advantages over others in the industry.
- Hacktivists or Internet activists attack cyber assets to draw attention to their causes.
- Script kiddies represent the vast majority of threat actors who scan the Internet to discover exposed IoT devices either out of curiosity or to cause mischief.

"Today's digital warfare is asymmetrical with falling costs for those bent on disruption and fixed or increasing costs for the society disrupted. The cost of finding and exploiting critical infrastructure will continue to fall. The marginal cost of copying vulnerable infrastructure lists or exploits will tend toward zero. The cost of causing disruptions for hackers will continue to fall while that of disruption remediation will remain relatively constant or increase." [2]

Exposed Cities

Scanning the Internet is important because security flaws can be quickly identified or discovered and fixed before they are exploited. But scanning the Internet is difficult, time-consuming, and poses a set of unique challenges. For our research on exposed cyber assets, we bypassed all of these hurdles and simply used a public data source: Shodan. Technical assumptions and observations about our use of Shodan data in this project can be found in the Appendix, which discusses what Shodan is and how we analyzed the Shodan data.

We examined the Shodan US scan data for February 2016. The data set contains a total of 178,032,637 records generated from scanning 45,597,847 unique IPv4 and 256,516 unique IPv6 addresses. The raw scan data was indexed using Elasticsearch and queried using Kibana, which allowed us to search more than 550 fields versus more than 40 fields using Shodan's Web interface. In this research, we present data on exposed cyber assets in the top 10 largest US cities by population: New York City, Los Angeles, Chicago, Houston, Philadelphia, Phoenix, San Antonio, San Diego, Dallas, and San Jose. The cities were selected using the 2010 US Census data [3]. We excluded cloud service providers such as Amazon, Azure, Akamai, CloudFlare, and others from the queries so we can focus on actual connected devices rather than online virtual devices. It is also worth noting that not all fields in every scan record were populated (e.g., not every record has the device field populated).

Cyber Asset Exposure Statistics in the Top 10 US Cities by Population

This section provides a general overview of cyber asset exposure numbers and all types of exposed devices, systems, products, operating systems (OSs), and other assets that are visible in the February 2016 Shodan US scan data for the top 10 US cities by population.

Exposed Cyber Assets in the 10 Largest US Cities by Population

It is interesting to note that the volume of exposed cyber assets in large US cities can be disproportionate to their population size. For example, the February 2016 Shodan US scan data shows 3,900,208 exposed cyber assets in Houston, Texas compared with 1,031,325 in New York City, New York. New York City has a far bigger population than Houston, yet it has 3.78 times fewer exposed cyber assets compared with Houston.

Figure 1: Number of exposed cyber assets in the 10 largest US cities by population (bar chart, scale 0 to 5M; bars in order: Los Angeles, Houston, Chicago, Dallas, Phoenix, San Jose, New York, San Antonio, San Diego, Philadelphia)

How Are Exposed Devices Connected to the Internet?

It is not surprising that most devices are connected to the Internet via modems. Interestingly, we also saw devices connected via virtual private networks (VPNs) and virtual LANs (VLANs) in the Shodan scan data. Should these devices not be private and not respond to queries from the Shodan crawler? Google Fiber is slowly being rolled out to many US cities, so it is also not surprising to discover Google Fiber network boxes in the Shodan data.
Figure 2: Distribution of means by which devices access the Internet (total: 436,531)

  EtherNet/Modem                                                                       97.55%
  Generic tunnel/VPN                                                                    1.63%
  Others (DSL, VLAN, IPIP/SIT, IPSec/GRE, SLIP, Jumbo EtherNet, GIF, Google, PPTP)      0.82%

What OSs Run on Exposed Internet-Connected Devices?

Devices that run Linux dominated in terms of OS found by the Shodan crawler. These are predominantly IoT devices that run embedded Linux, though a fair number of Web servers that run the Linux, Apache, MySQL, PHP (LAMP) stack are also in the mix. The Windows OS family was also, unsurprisingly, prominent. Mac OS X exposure was negligible compared with that of Linux and Windows devices.

Figure 3: Distribution of exposed device OSs (total: 372,034)

  Linux 3.x                                                                            54.40%
  Windows 7/8                                                                          16.88%
  Windows XP                                                                           14.62%
  Linux 2.6.x                                                                          12.91%
  Others (FreeBSD, HP-UX, Mac OS X, OpenBSD, Solaris, other Linux versions)             1.19%

Opportunistic attackers can take this observation as insight into which OS they should focus on finding vulnerabilities for if they want to ensure a broad victim base.

Top 20 Exposed Products

As expected, the list of exposed products (not to be confused with that of device types, which we will cover later) is dominated by Web servers. Shodan also discovered large numbers of Internet-facing MySQL, Simple Mail Transfer Protocol (SMTP), Secure Shell (SSH), and File Transfer Protocol (FTP) servers. Compared with desktops, servers are more vulnerable to zero-day exploits because, when compromised, they can be leveraged to attack users that connect to them. On the flip side, the vast majority of daily cyber attacks use weaponized exploits that have been around for a long time instead of zero-day exploits. Administrators should regularly apply security patches to servers in order to prevent hackers from exploiting known, already patched vulnerabilities.
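As an added example (not code from the paper), the tallying behind the per-city counts and the distribution figures above: distinct exposed IPs per city with cloud providers excluded and missing fields tolerated, plus percentage breakdowns by field, run over a few constructed Shodan-style banner records. The field names ip_str, port, product, os, org and location.city follow Shodan's JSON export and are assumed here; the sample records are made up.

```python
from collections import Counter

# Cloud/CDN organisations excluded so the tally counts physical devices rather
# than virtual hosts (the paper excludes Amazon, Azure, Akamai, CloudFlare, etc.).
CLOUD_ORGS = ("amazon", "azure", "akamai", "cloudflare")

# Constructed sample banners (not real scan data). One IP can yield several
# port banners, and not every banner carries every field.
SAMPLE_RECORDS = [
    {"ip_str": "198.51.100.10", "port": 80, "product": "Apache httpd",
     "os": "Linux 3.x", "org": "Example ISP", "location": {"city": "Houston"}},
    {"ip_str": "198.51.100.10", "port": 22, "product": "OpenSSH",
     "os": "Linux 3.x", "org": "Example ISP", "location": {"city": "Houston"}},
    {"ip_str": "198.51.100.11", "port": 80, "product": "GoAhead-Webs httpd",
     "org": "Example Cable", "location": {"city": "Houston"}},      # no os
    {"ip_str": "198.51.100.12", "port": 443, "product": "nginx",
     "os": "Linux 3.x", "org": "Amazon.com", "location": {"city": "New York"}},
    {"ip_str": "198.51.100.13", "port": 3389, "os": "Windows 7 or 8",
     "org": "Example ISP", "location": {"city": "New York"}},       # no product
    {"ip_str": "198.51.100.14", "port": 80, "product": "Apache httpd",
     "os": "Windows XP", "org": "Example ISP", "location": {"city": "New York"}},
    {"ip_str": "198.51.100.15", "port": 21, "product": "ProFTPD",
     "org": "Example ISP"},                                          # no location
]


def is_cloud_hosted(record):
    """True when the banner's organisation matches a known cloud/CDN provider."""
    org = (record.get("org") or "").lower()
    return any(name in org for name in CLOUD_ORGS)


def city_of(record):
    """Shodan nests the city under 'location'; return None when it is absent."""
    return (record.get("location") or {}).get("city")


def exposure_by_city(records):
    """Count distinct exposed IPs per city, skipping cloud-hosted banners and
    banners with no city, since the paper notes not every field is populated."""
    seen = set()
    counts = Counter()
    for rec in records:
        city = city_of(rec)
        if city is None or is_cloud_hosted(rec):
            continue
        key = (city, rec["ip_str"])
        if key not in seen:          # several ports on one IP count once
            seen.add(key)
            counts[city] += 1
    return dict(counts)


def field_distribution(records, field, top=5):
    """Percentage share of each value of `field` among non-cloud banners that
    populate it, rounded to two decimals like the paper's OS/product charts."""
    tally = Counter(r[field] for r in records
                    if field in r and not is_cloud_hosted(r))
    total = sum(tally.values())
    return [(value, round(100.0 * n / total, 2))
            for value, n in tally.most_common(top)]


if __name__ == "__main__":
    print(exposure_by_city(SAMPLE_RECORDS))
    print(field_distribution(SAMPLE_RECORDS, "os"))
    print(field_distribution(SAMPLE_RECORDS, "product"))
```

Feeding a real Shodan JSON export (one banner per line) through the same functions reproduces the paper's per-city and per-OS tallies for whatever subset you load.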
Figure 4: Top 20 exposed products (bar chart, scale up to 2.5M), in order: Apache HTTPD, NGINX, Exim SMTPD, MySQL, OpenSSH, Microsoft IIS HTTPD, Squid HTTP proxy, Microsoft HTTPAPI HTTPD, Postfix SMTPD, Pure-FTPD, Microsoft FTPD, Dropbear SSHD, SonicWALL firewall HTTP config, Apache Tomcat/Coyote JSP engine, ProFTPD, micro_httpd, LiteSpeed HTTPD, GoAhead-Webs embedded HTTPD, SurgeFTPD, Cisco IOS HTTP config

Top 20 Exposed Vulnerable Products

The Shodan crawler tests for specific vulnerabilities: CVE-… (digital video recorder [DVR] configuration disclosure), CVE-… (argument injection in PostgreSQL), CVE-… (Heartbleed, OpenSSL), CVE-… (FREAK, OpenSSL), and CVE-… (Jetty remote unauthenticated credential disclosure). It is good to see that, aside from a handful, the vast majority of servers scanned by Shodan are patched against these vulnerabilities. Compared with the total number of servers scanned by Shodan, the number of vulnerable servers is negligible. In a targeted attack, threat actors attempt to identify vulnerabilities in the exposed product and use that knowledge to craft social engineering attacks.

Figure 5: Top 20 exposed vulnerable products (bar chart, scale 0 to 2K), in order: Apache HTTPD, Apache Tomcat/Coyote JSP engine, Microsoft IIS HTTPD, DD-WRT milli_httpd, Jetty, Allegro RomPager, Exim SMTPD, SonicWALL firewall HTTP config, Fnord HTTPD, MiniServ, WatchGuard Firewall HTTP config, NGINX, GoAhead-Webs HTTPD, Orion Java Application Server HTTPD, Sun GlassFish, UW IMAPD, Cisco PIX Device Manager, Rumpus HTTPD, Microsoft IIS, Tridium Niagara HTTPD

Top 20 Exposed Device Types

Firewalls, webcams, wireless access points (WAPs), printers, routers, and phones dominated the exposed device types seen. The admin interface of the firewall is exposed, and this is how Shodan identifies it as such. Attackers can attempt brute-force attacks to gain entry into the firewall's admin interface and, once inside, change the firewall rules to allow malicious traffic into the network.
We also discovered a good number of exposed storage devices, most probably NAS devices. The recent DDoS attack against [...] used compromised routers, webcams, and DVRs to generate a massive volume of network traffic directed at the website [...].

Figure 6: Top 20 exposed device types (bar chart, scale 0 to 100K), in order: Firewall, Webcam, WAP, Router, Printer, PBX, Miscellaneous security device, Miscellaneous storage device, Specialized device, Switch, Media device, VoIP phone, Broadband router, Remote management device, Print server, VoIP adapter, Terminal server, Miscellaneous telecommunications device, Load balancer, VoIP adapter

Exposed Devices in Top 10 US Cities by Population

This section digs deeper into exposed devices such as webcams, NAS and media devices, routers, printers, and phones visible in the February 2016 Shodan scan data for the top 10 US cities by population. Exposed devices are at risk of data theft, lateral movement, forced participation in DDoS attacks, and other threats.

Exposed Webcams

In the public's perception, it seems that exposed cyber assets are synonymous with exposed webcams. This is probably because webcams are easily visible in homes, public places, retail stores, and so on; easy to find online; and extensively used in everyday devices such as phones and laptops. Webcams typically run a light HTTP or HTTP Secure (HTTPS) Web server that allows users to log in and use them. Shodan data shows that three webcam brands dominate the results: security camera manufacturers GeoVision and Avtech, and home webcam maker D-Link.
Figure 7: Number of exposed webcams (bar chart, scale 0 to 6K; bars in order: Houston, Chicago, San Jose, Phoenix, Los Angeles, Philadelphia, New York, San Diego, San Antonio, Dallas)

Figure 8: Distribution of exposed webcams by product name (total: 17,508)

  GeoVision GeoHTTPServer for webcams               19.73%
  D-Link DCS-930L webcam HTTP interface             12.92%
  Avtech AVN801 network camera                      11.51%
  D-Link DCS-932L webcam HTTP interface             11.35%
  D-Link DCS-932LB1 webcam HTTP interface           10.38%
  Netwave IP camera HTTP config                      9.69%
  D-Link DCS-934L webcam HTTP interface              7.25%
  Swann DVR security camera system HTTPD             5.96%
  D-Link DCS-933L webcam HTTP interface              5.93%
  D-Link DCS-5020L webcam HTTP interface             5.28%

Searching in the National Vulnerability Database (NVD) [5], we found eight vulnerabilities that directly or indirectly affect D-Link cameras, five that directly or indirectly affect GeoVision cameras, and only three that directly or indirectly affect AVTECH cameras. Just because there is only a small number of known vulnerabilities does not make webcams safe to use. Webcams are rarely patched and most do not have auto-update functionality. This means webcams will remain vulnerable for months or even perpetually after being sold. The Achilles' heel of webcams: users do not change their default passwords or use weak passwords that are vulnerable to brute-force or dictionary attacks.

Exposed NAS Devices

NAS devices are popular solutions for sharing files in collaborative work environments, system backups, and data storage. We did not find a lot of exposed NAS devices in the US cities that we profiled, probably because either they are not widely used or they have been secured against accidental on